This content was last updated in September 2022 and represents the status quo as of the time that it was written. Google's security policies and systems may change going forward, as we continually improve protection for our customers.
At Google, our comprehensive security strategy includes encryption at rest, which helps to protect customer content from attackers. We encrypt all Google customer content at rest, without any action required by you, using one or more encryption mechanisms. This document describes our approach to default encryption at rest for Google infrastructure and Google Cloud, and how we use it to keep customer information more secure.
This document is for security architects and security teams who are currently using or considering Google. This document assumes a basic understanding of encryption and cryptographic primitives. For more information on cryptography, see Introduction to Modern Cryptography.
Encryption at rest is encryption that is used to help protect data that is stored on a disk (including solid-state drives) or backup media. All data that is stored by Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256. We use a common cryptographic library, Tink, which includes our FIPS 140-2 validated module (named BoringCrypto) to implement encryption consistently across Google Cloud.
We manage the keys used in default encryption at rest. If you use Google Cloud, Cloud Key Management Service lets you create your own encryption keys that you can use to add envelope encryption to your data. Using Cloud KMS, you can create, rotate, track, and delete keys. For more information, see Cloud Key Management Service deep dive.
How encryption at rest helps to secure data
Encryption at rest is one piece of a broader security strategy. Encryption has the following benefits:
- Helps to ensure that if data falls into an attacker's hands, the attacker cannot read the data without also having access to the encryption keys. Even if attackers obtain the storage devices that contain customer data, they won't be able to understand or decrypt it.
- Helps to reduce the surface of attack by cutting out the lower layers of the hardware and software stack.
- Acts as a chokepoint because centrally managed encryption keys create a single place where access to data is enforced and can be audited.
- Helps to reduce the attack surface because instead of having to protect all data, businesses can focus their protection strategies on the encryption keys.
- Provides an important privacy mechanism for our customers. When data is encrypted at rest, it limits the access that systems and engineers have to the data.
What is customer data?
As defined in the Google Cloud terms of service, customer data is data that customers or end users provide to Google through the services under their account. Customer data includes customer content and metadata.
Customer content is data that you generate yourself or provide to us, like data stored in Cloud Storage, disk snapshots used by Compute Engine, and IAM policies. This document focuses on default encryption at rest for customer content.
Customer metadata makes up the rest of your data. Customer metadata could include auto-generated project numbers, timestamps, IP addresses, the byte size of an object in Cloud Storage, or the machine type in Compute Engine. Metadata is protected to a degree that is reasonable for ongoing performance and operations.
Default encryption of data at rest
Google encrypts all customer content stored at rest, without any action from you, using one or more encryption mechanisms. The following sections describe the mechanisms that we use to encrypt customer content.
Layers of encryption
Google uses several layers of encryption to help protect data. Using multiple layers of encryption adds redundant data protection and allows us to select the optimal approach based on application requirements.
The following diagram shows the several layers of encryption that are generally used to protect user data in Google production data centers. Either distributed file system encryption or database and file storage encryption is in place for all user data, and storage device encryption is in place for all data in Google production data centers.
Encryption at the hardware and infrastructure layer
All of Google's storage systems use a similar encryption architecture, though implementation details differ from system to system. Data is broken into subfile chunks for storage; each chunk can be up to several gigabytes in size. Each chunk is encrypted at the storage level with an individual data encryption key (DEK): two chunks won't have the same DEK, even if they are owned by the same customer or stored on the same machine. (A data chunk in Datastore, App Engine, and Pub/Sub may contain the data of multiple customers.)
If a chunk of data is updated, it is encrypted with a new key, rather than by reusing the existing key. This partitioning of data, each using a different key, limits the risk of a potential data encryption key compromise to only that data chunk.
Google encrypts data before it is written to a database storage system or hardware disk. Encryption is inherent in all of our storage systems, rather than added afterward.
Each data chunk has a unique identifier. Access control lists (ACLs) help to ensure that each chunk can be decrypted only by Google services that operate with authorized roles, which are granted access only at that point in time. This access limitation helps to prevent access to the data without authorization, strengthening data security and privacy.
Each chunk is distributed across our storage systems and is replicated in encrypted form for backup and disaster recovery. An attacker who wants to access customer data would need to know and be able to access two things: all of the storage chunks that correspond to the data that they want and all of the encryption keys that correspond to the chunks.
The following diagram shows how data is uploaded to our infrastructure and then broken into encrypted chunks for storage.
We use the AES algorithm to encrypt data at rest. All data at the storage level is encrypted by DEKs, which use AES-256 by default, with the exception of a small number of Persistent Disks that were created before 2015 that use AES-128. AES is widely used because both AES-256 and AES-128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use, and AES is often included as part of customer compliance requirements.
Encryption at the storage device layer
In addition to storage system level encryption, data is also encrypted at the storage device level with AES-256 for hard disk drives (HDD) and solid-state drives (SSD), using a separate device-level key (which is different from the key used to encrypt the data at the storage level). A small number of legacy HDDs use AES-128. SSDs used by Google implement AES-256 for user data exclusively.
Encryption of backups
Our backup system ensures that data remains encrypted throughout the backup process. This approach avoids unnecessarily exposing plaintext data.
In addition, the backup system further encrypts most backup files independently with their own DEK. The DEK is derived from a key that is stored in Keystore and a randomly generated per-file seed at backup time. Another DEK is used for all metadata in backups, which is also stored in Keystore.
FIPS compliance for data at rest
Google uses a FIPS 140-2 validated encryption module (certificate 3318) in our production environment.
Because of the high volume of keys at Google, and the need for low latency and high availability, DEKs are stored near the data that they encrypt. DEKs are encrypted with (wrapped by) a key encryption key (KEK), using a technique known as envelope encryption. These KEKs are not specific to customers; instead, one or more KEKs exist for each service.
These KEKs are stored centrally in Keystore, a repository built specifically for storing keys. Having a smaller number of KEKs than DEKs and using a central Keystore makes storing and encrypting data at our scale manageable, and lets us track and control data access from a central point.
In Google Cloud, each customer can have shared and non-shared resources. An example of a shared resource is a shared base image in Compute Engine. For shared resources, multiple customers refer to a single copy, which is encrypted by a single DEK. Non-shared resources are split into data chunks and encrypted with keys that are separate from the keys used for other customers. These keys are even separate from those that protect other pieces of the same data owned by that same customer. Exceptions are data stored in Datastore, App Engine, or Pub/Sub, where more than one customer's data may be encrypted with the same DEK.
The storage system generates DEKs using Google's common cryptographic library. In general, DEKs are then sent to Keystore to wrap with that storage system's KEK, and the wrapped DEKs are passed back to the storage system to be kept with the data chunks. When a storage system needs to retrieve encrypted data, it retrieves the wrapped DEK and passes it to Keystore. Keystore then verifies that this service is authorized to use the KEK and, if so, unwraps and returns the plaintext DEK to the service. The service then uses the DEK to decrypt the data chunk into plaintext and verify its integrity.
All Google Cloud storage systems adhere to this key management model, but most systems also implement additional levels of storage-side KEKs to create a hierarchy of keys. This allows the systems to provide low latency while using the highest-level KEK (stored in Keystore) as their root of trust.
Most KEKs for encrypting data chunks are generated within Keystore, and the rest are generated inside the storage services. For consistency, all KEKs are generated using Google's common cryptographic library, using a random number generator (RNG) built by Google. This RNG is based on NIST 800-90Ar1 CTR-DRBG and generates an AES-256 KEK. (In the past, this was AES-128, and some of these keys remain active for decrypting data.)
The RNG is seeded from Intel's RDRAND instruction and the Linux kernel's RNG. In turn, the Linux kernel's RNG is seeded from multiple independent entropy sources, including RDRAND and entropic events from the data center environment (for example, fine-grained measurements of disk seeks and inter-packet arrival times).
DEKs are wrapped with KEKs using AES-256 or AES-128, depending on the Google Cloud service. We are currently working on upgrading all KEKs for Google Cloud services to AES-256.
Keystore was built solely for the purpose of managing KEKs. By design, KEKs used by storage systems aren't exportable from Keystore; all encryption and decryption with these keys must be done within Keystore. This helps to prevent leaks and misuse, and it enables Keystore to create an audit trail when keys are used.
Keystore can automatically rotate KEKs at regular time intervals, using Google's common cryptographic library to generate new keys. Though we often refer to just a single key, we really mean that data is protected using a key set: one key is active for encryption, and a set of historical keys is active for decryption. The number of historical keys is determined by the key rotation schedule. KEKs are backed up for disaster recovery purposes, and they are indefinitely recoverable.
The use of KEKs is managed by ACLs in Keystore for each key, with a per-key policy. Only authorized Google services and users are allowed to access a key. The use of each key is tracked at the level of the individual operation that requires that key—so every time that a user uses a key, the user is authenticated and logged. All data access by users is auditable as part of Google's overall security and privacy policies.
Process for accessing encrypted chunks of data
When a Google service accesses an encrypted chunk of data, the following occurs:
- The service makes a call to the storage system for the data that it needs.
- The storage system identifies the chunks in which that data is stored (the chunk IDs) and where they are stored.
- For each chunk, the storage system pulls the wrapped DEK that is stored with that chunk (in some cases, this is done by the service) and sends it to Keystore for unwrapping.
- The storage system verifies that the identified job is allowed to access that data chunk based on a job identifier and using the chunk ID. Keystore verifies that the storage system is authorized to use the KEK that is associated with the service and to unwrap that specific DEK.
- Keystore does one of the following:
  - Passes the unwrapped DEK back to the storage system, which decrypts the data chunk and passes it to the service.
  - In some rare cases, passes the unwrapped DEK to the service. The storage system passes the encrypted data chunk to the service, which decrypts the data chunk and uses it.
This process is different in dedicated storage devices, such as local SSDs, where the device manages and protects the device-level DEK.
The following diagram shows this process. To decrypt a data chunk, the storage service calls Keystore to retrieve the unwrapped DEK for that data chunk.
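The wrap, unwrap and chunk-access flow described above, as an added example in Go that is not Google's or Tink's code: a model Keystore holds a key set of KEK versions (the newest active for wrapping, earlier ones kept for unwrapping) behind a per-key ACL, each chunk gets its own DEK wrapped under the active KEK, and the chunk ID is bound to the ciphertext as AES-GCM associated data so a ciphertext cannot be re-attached to another chunk. The names Keystore, Rotate, Wrap, Unwrap, EncryptChunk and DecryptChunk, and the one-byte version prefix on wrapped DEKs, are assumptions of this model; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// random returns n cryptographically random bytes; 32 bytes is an AES-256 key.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor returns an AES-GCM AEAD; every key here is 32 bytes, so an error is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext, authenticates aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check fails if the data or the aad was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Keystore stands in for the central KEK holder (model only); KEK material never leaves it.
type Keystore struct {
	Owner string   // per-key ACL: the one service allowed to use this KEK
	keks  [][]byte // key set: index+1 is the KEK version, the last entry is active
}

// Rotate adds a fresh KEK and makes it active; earlier versions stay valid for unwrapping only.
func (ks *Keystore) Rotate() {
	ks.keks = append(ks.keks, random(32))
}

// Wrap encrypts a DEK under the active KEK; the version prefix is also bound as aad.
func (ks *Keystore) Wrap(service string, dek []byte) ([]byte, error) {
	if service != ks.Owner || len(ks.keks) == 0 {
		return nil, errors.New("service not authorized for this KEK, or no active KEK")
	}
	ver := []byte{byte(len(ks.keks))} // one-byte version: enough for this model
	return append(ver, seal(ks.keks[len(ks.keks)-1], dek, ver)...), nil
}

// Unwrap enforces the ACL, then decrypts with the KEK version named in the blob.
func (ks *Keystore) Unwrap(service string, wrapped []byte) ([]byte, error) {
	if service != ks.Owner {
		return nil, errors.New("service not authorized for this KEK")
	}
	if len(wrapped) == 0 || wrapped[0] == 0 || int(wrapped[0]) > len(ks.keks) {
		return nil, errors.New("malformed wrapped DEK or unknown KEK version")
	}
	return open(ks.keks[wrapped[0]-1], wrapped[1:], wrapped[:1])
}

// EncryptChunk: fresh DEK per chunk, chunk ID bound as aad, wrapped DEK kept beside the data.
func EncryptChunk(ks *Keystore, service, id string, data []byte) (ct, wrappedDEK []byte, err error) {
	dek := random(32) // never reused for another chunk, even one of the same customer
	if wrappedDEK, err = ks.Wrap(service, dek); err != nil {
		return nil, nil, err
	}
	return seal(dek, data, []byte(id)), wrappedDEK, nil
}

// DecryptChunk asks Keystore for the plaintext DEK, then decrypts and verifies.
func DecryptChunk(ks *Keystore, service, id string, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := ks.Unwrap(service, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(id))
}
```

A chunk wrapped before a rotation still decrypts afterwards because the wrapped DEK names its KEK version, while an unauthorized service, a mismatched chunk ID or a DEK from another chunk all fail the tag check or the ACL.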
Encryption key hierarchy and root of trust
Keystore is protected by a root key called the keystore master key, which wraps all of the KEKs in Keystore. This keystore master key is AES-256 and is itself stored in another key management service, called Root Keystore. (In the past, the keystore master key was AES-128, and some of these keys remain active for decrypting data.) Root Keystore stores a much smaller number of keys—approximately a dozen per region. For additional security, Root Keystore isn't run on general production machines, but instead is run only on dedicated machines in each Google data center.
Root Keystore in turn has its own root key, called the root keystore master key, which is also AES-256 and is stored in a peer-to-peer infrastructure, which is called the root keystore master key distributor, and which replicates these keys globally. (In the past, the root keystore master key was AES-128, and some of these keys remain active for decrypting data.) The root keystore master key distributor only holds the keys in RAM on the same dedicated machines as Root Keystore, and it uses logging to verify proper use. One instance of the root keystore master key distributor runs for every instance of Root Keystore.
When a new instance of the root keystore master key distributor is started, it is configured with a list of host names of already running distributor instances. Distributor instances can then obtain the root keystore master key from other running instances. Other than the disaster-recovery mechanisms described in Global availability and replication, the root keystore master key exists only in RAM on a limited number of specially secured machines.
To address the scenario where all instances of the root keystore master key distributor in a region restart simultaneously, the root keystore master key is also backed up on secure hardware devices that are stored in physical safes in highly secured areas in multiple geographically distributed locations. This backup would be needed only if all distributor instances in a region were to go down at once. Fewer than 100 Google employees can access these safes.
The following diagram shows the encryption key hierarchy. The encryption key hierarchy protects a chunk of data with a DEK, wrapped with a KEK in Keystore, which is in turn protected by Root Keystore and the root keystore master key distributor.
Summary of key management
The following list summarizes key management at Google:
- Data is chunked and encrypted with DEKs.
- DEKs are encrypted with KEKs.
- KEKs are stored in Keystore.
- Keystore is run on multiple machines in data centers globally.
- Keystore keys are wrapped with the Keystore master key, which is stored in Root Keystore.
- Root Keystore is much smaller than Keystore and runs only on dedicated machines in each data center.
- Root Keystore keys are wrapped with the root keystore master key, which is stored in the root keystore master key distributor.
- The Root Keystore master key distributor is a peer-to-peer infrastructure that runs concurrently in RAM on dedicated machines globally. Each machine gets its key material from other running instances in the region.
- In case all instances of the distributor in a region were to go down, a master key is stored in different secure hardware in physical safes in limited Google locations.
Global availability and replication
At every level, high availability, low latency, and global access to keys are critical. These characteristics are needed for key management services to be used across Google.
For this reason, Keystore is highly scalable, and it is replicated thousands of times in our data centers globally. It is run on regular machines in our production fleet, and instances of Keystore run globally to support Google operations. As a result, the latency of any single key operation is very low.
Root Keystore is run on several machines dedicated to security operations, in each data center. The Root Keystore master key distributor is run on these same machines, one-to-one with Root Keystore. The Root Keystore master key distributor provides a distribution mechanism using a gossiping protocol. At a fixed time interval, each instance of the distributor picks a random other instance to compare its keys with and reconciles any differences in key versions. With this model, there is no central node that all of our infrastructure depends on. This distribution method lets us maintain and protect key material with high availability.
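A small simulation of the distribution scheme just described, added here as an example and not Google's code: each instance holds key versions only in memory, a new instance bootstraps from a configured list of already running peers, and in each round every instance compares versions with one randomly chosen other instance and reconciles the differences until all instances agree. The Distributor type, the Bootstrap, Gossip and Converged functions, and the seeded math/rand source are assumptions of this model.

```go
package main

import "math/rand"

// Distributor models one instance of the root keystore master key distributor.
// Key versions live only in this in-memory map, never on the instance's disk.
type Distributor struct {
	Host string
	Keys map[int][]byte // key version -> key material (RAM only)
}

// reconcile is one anti-entropy exchange: each side adopts the versions it lacks.
func reconcile(a, b *Distributor) {
	for v, k := range a.Keys {
		if _, ok := b.Keys[v]; !ok {
			b.Keys[v] = k
		}
	}
	for v, k := range b.Keys {
		if _, ok := a.Keys[v]; !ok {
			a.Keys[v] = k
		}
	}
}

// Bootstrap starts a new instance configured with already running peers and
// obtains the current key versions from them before it serves anything.
func Bootstrap(host string, peers []*Distributor) *Distributor {
	d := &Distributor{Host: host, Keys: map[int][]byte{}}
	for _, p := range peers {
		reconcile(d, p)
	}
	return d
}

// Converged reports whether every instance holds exactly the same versions.
func Converged(ds []*Distributor) bool {
	if len(ds) == 0 {
		return true
	}
	for _, d := range ds[1:] {
		if len(d.Keys) != len(ds[0].Keys) {
			return false
		}
		for v := range ds[0].Keys {
			if _, ok := d.Keys[v]; !ok {
				return false
			}
		}
	}
	return true
}

// Gossip runs rounds in which every instance compares keys with one random other
// instance, until all agree or maxRounds pass. It returns the rounds used, or -1
// if the instances never converged. No node is special: any instance can seed the rest.
func Gossip(ds []*Distributor, rng *rand.Rand, maxRounds int) int {
	if len(ds) < 2 {
		return 0 // nothing to reconcile
	}
	for round := 1; round <= maxRounds; round++ {
		for i := range ds {
			j := rng.Intn(len(ds) - 1) // uniform over the other instances
			if j >= i {
				j++
			}
			reconcile(ds[i], ds[j])
		}
		if Converged(ds) {
			return round
		}
	}
	return -1
}
```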
Google's common cryptographic library
Google's common cryptographic library is Tink, which incorporates our FIPS 140-2 validated module, BoringCrypto. Tink is available to all Google developers. Consistent use of a common library means that only a small team of cryptographers needs to implement this tightly controlled and reviewed code, making it unnecessary for every team at Google to independently develop their own cryptography. A special Google security team is responsible for maintaining this common cryptographic library for all products.
The Tink encryption library supports a wide variety of encryption key types and modes, and these are reviewed regularly to ensure that they are current with the latest attacks.
Currently, we use the following encryption algorithms for encryption at rest for DEKs and KEKs. These are subject to change as we continue to improve our capabilities and security.
|Cryptographic primitive|Preferred protocols|Other supported protocols|
|---|---|---|
|Symmetric encryption|AES-GCM (256 bits)| |
|Symmetric signatures (where used with AES-CBC and AES-CTR above for authentication)|HMAC-SHA256| |
Other cryptographic protocols exist in the library and were historically supported, but this table covers the primary uses at Google.
Research and innovation in cryptography
To keep pace with the evolution of encryption, we have a team of world-class security engineers tasked with following, developing, and improving encryption technology. Our engineers take part in standardization processes and in maintaining widely used encryption software. We regularly publish our research in the field of encryption so that everyone—including the general public—can benefit from our knowledge.
For example, in post-quantum cryptography research, we are working in the following areas:
- Standardization: We're contributing to ongoing standardization efforts for post-quantum cryptography. We co-authored three cryptosystem proposals under consideration by NIST that are in their third round of the post-quantum cryptography standardization competition. We are editors of the International Organization for Standardization (ISO) standard on post-quantum cryptography hash-based signatures. We are co-editors of the Internet Engineering Task Force (IETF) draft on JSON encoding for post-quantum cryptography signatures.
- Enablement: We have recently enabled several post-quantum cryptography algorithms in our Tink cryptographic library. This is experimental code that is designed to help educate the community about the pros and cons of each approach.
- Publications: We recently published Transitioning organizations to post-quantum cryptography in Nature. This paper provides an overview of post-quantum cryptography migration challenges.
For information about using your own encryption keys in Google Cloud, see Customer-managed encryption keys (CMEK).
For general information on Google Cloud security, see the Security section of the Google Cloud website.
For information on Google Cloud compliance and compliance certifications, see the Compliance section of the Google Cloud website, which includes Google's public SOC3 audit report.
For information on Google Workspace encryption and key management, see How Google Workspace uses encryption to protect your data, which covers much of the same content included here, but focuses solely on Google Workspace. For all Google Workspace solutions, we strive to keep customer data protected, and to be as transparent as possible about how we secure it.
For information about general Google Workspace security, see Google for Work Security and Compliance.